Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/30/2020
02:00 PM
Mark Darby
Mark Darby
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Don't Slow Cybersecurity Spending: Steer into the Skid with a Tight Business Plan

We all know there are slippery conditions ahead, which is why it's never been more important for organizations to maintain and even increase their spending on cybersecurity.

We can all agree that, on paper, it's a gloomy scene right now — an economy-stunning pandemic and now global civil unrest. Is it any wonder businesses the world over are tightening the purse strings? Gartner estimates a $6.7 billion overall decrease in spending for software and services for 2020. Forrester is echoing forecasts of spending pauses. If you're a professional facing a freeze against key security projects and hires, you need to arm yourself with persuasive arguments that benefit the bean counters.

Whether you're an information security-focused entrepreneur like me or a cybersecurity specialist, drastic reductions in spending in the sector should give you pause. The twin crises of a pandemic and global civil unrest represent fertile ground for bad actors. A sudden remote workforce due to COVID-19 is putting everyone's information security to the test, while global unrest brings with it the threat of physical as well as cyber-risk. In the race to meet ever-expanding security demands, it has never been more important for business continuity to take a holistic approach to your budget.

But you're a cybersecurity professional. This shouldn't be news to you. The real conversation to be had is how to make a business case that leaves no room for doubt that your projects are a resource priority within your organization. When you're influencing budget decisions around cybersecurity spending, there are several gears to shift.

  • Revisit your asset portfolio and risk assessment: We're experiencing unprecedented and growing levels of risk. Online threats have increased sixfold since the pandemic began, with phishing attempts soaring by more than 600% since the end of February. The World Health Organization has reported a fivefold increase in cyberattacks in recent months. Without a robust and joined-up approach to information security in place, you'll be open to supply chain disruption and reputational damage. Nobody needs that given the ambiguity of our current times.

  • Acknowledge the value of your talent: ISC.org suggests a supply gap of nearly 3 million cybersecurity positions. These folks are in demand and hard to retain. If they walk, their knowledge goes, too. A continued, dedicated investment in information security retains talent. A commitment to the highest possible global independent standard proves you're serious about what drives them and protecting their professional reputations as well as your data.

  • Spot the opportunityYour organization needs to focus on growth as well as threat protection. While piecemeal investments in operational security might keep daily threats at bay, they don't contribute to the growth of the business. Buyers are more nervous than ever, and information management protocols based on recognized standards from organizations such as the International Organization for Standardization and the National Institute of Standards and Technology will likely give your organization an advantage when competing for business.

When pitching for your security budget, leverage support from those within your organization — as well as customers, partners, and supply chain — who'll see the benefit. Your public relations department will appreciate a positioning "good news" story, particularly if a competitor or player in your vertical has experienced a recent breach. Your colleagues in sales will always welcome additional selling points, like being able to demonstrate certainty around processing customer data.

Arm your CFO with a solid business case that he or she can confidently present in your absence. A respectable forecast against spending never fails to influence decision-makers in the right direction. Like most entrepreneurs, I've learned lessons the hard way, burning through money on poorly considered projects, wasting time, and investing in old ways of doing information security management that actually slowed growth.

One of the most valuable lessons I learned through hard experience is to apply a zero-based budget view for any proposed activity. This is still the approach my growing team takes when recommending spending decisions within our business and supply chain. It ensures we're continually interrogating our return on investment, ensuring, in turn, that our operational expenditure remains lean and effective.

We all know there are slippery conditions ahead, which is why now is the time for organizations to maintain and even increase their spending on cybersecurity, where that investment shows the return. Effective control and collaboration within your supply chain reduces risk and overall cost while improving business continuity and resilience. Those who make considered spending choices now will steer into the skid and find themselves ahead of the pack as they emerge into the new normal and beyond.

Related Content:

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 
 

Mark is the CEO and founder of Alliantist and author of the business book Alliance Brand: Fulfilling the Promise of Partnering. With a background in business collaboration, organization development, and change management, Mark went on to develop cloud-based security system ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Michelle McCarthy
50%
50%
Michelle McCarthy,
User Rank: Apprentice
7/5/2020 | 11:13:47 AM
Re: Interesting
Agreed Ryan, it can be difficult. However, what I'm taking away from the article - and from what I understand of the landscape - is that strong cybersecurity brings with it significant business advantages, which should help make the case. Advantages that need to be pitched as absolute 'must haves' for business reslience and growth potential as we climb out from the current economic pause. Certainly, demonstrable commitment to cybersecurity makes an organization more attractive to do business with and therefore more competitive when it comes to tendering, winning contracts etc. 

The zero-based budget approach is an interesting one to me. Many organisations operate a complicated framework of legacy systems when it comes to cybersecurity. It's possible that by stepping back and re-engineering existing systems, savings could be made while at the same time bolstering security. Applying some zero-based scrutiny of systems already in place could kill two birds with one stone. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/30/2020 | 10:57:01 PM
Interesting
This article was an interesting approach. I guess it truly depends on how the pandemic affected your business bottom line. There were many good points in here but it can be difficult to make a cybersecurity pitch if your revenue was adversly affected due to the pandemic.
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3493
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
CVE-2021-3492
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
CVE-2020-2509
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q...
CVE-2020-36195
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...